
<aside> 🎯

Objective: Evaluate your organization's resilience against supply chain attacks by simulating how an attacker who has compromised a trusted third party (a vendor account, a software dependency, an update channel, an integrated service) can use that trust relationship to bypass your security controls and reach your systems and data.

</aside>

Pre-Exercise Planning

Supply Chain Attack Vector Selection Matrix

Select the attack vectors that best match your organization's vendor ecosystem. The ratings are relative (Medium, High, Very High, Critical): Complexity is the effort needed to stage the scenario, Detection Difficulty is how hard the activity is for your defenders to spot, and Impact Potential is the damage a real attacker could do through that vector.

| Attack Vector | Complexity | Detection Difficulty | Impact Potential | Best For |
| --- | --- | --- | --- | --- |
| Vendor Account Compromise | Medium | High | Very High | Testing vendor access controls |
| Software Dependency Attack | High | Very High | Critical | Testing software delivery pipeline |
| Update Infrastructure Compromise | High | High | Critical | Testing patch management process |
| Third-Party API/Service Attack | Medium | Medium | High | Testing integrated services |
| Vendor Network Compromise | High | Medium | High | Testing network trust relationships |
| Hardware/Firmware Supply Chain | Very High | Very High | Critical | Advanced security programs |

Scope Definition Framework

Target Selection Criteria

| Target Type | Risk Level | Value for Assessment | Selection Criteria |
| --- | --- | --- | --- |
| Critical Vendors | High | Very High | Vendors with admin access or critical data access |
| SaaS Providers | Medium-High | High | Cloud services with sensitive data or wide access |
| Software Providers | Medium | High | Applications used in critical business processes |
| Development Dependencies | Medium | Medium-High | Libraries and frameworks used in internal applications |
| Managed Service Providers | High | Very High | Providers with privileged network/system access |
| Hardware/Device Vendors | Medium | Medium | Device firmware, IoT, or specialized hardware |

Exercise Boundary Definition

| Boundary Type | Description | Example Constraints |
| --- | --- | --- |
| Simulation Boundaries | Which attacks to simulate vs. emulate | No actual vendor compromise; simulate with authorized access |
| Target Boundaries | Which vendors/services are in scope | Only the top 5 critical vendors by risk assessment |
| Technical Boundaries | Technical limits on testing | No destruction of data, no actual malware deployment |
| Notification Boundaries | Who is aware of the exercise | Notify the security team but not the vendor management team |
| Time Boundaries | When testing can occur | Business hours only, within a specific testing window |

Timeline and Milestones

Execution Framework

Vendor Risk Assessment Framework